General Motors Today


Our company


* General Motors has been pushing the limits of transportation and technology for over 100 years


* We envision a future of zero crashes, zero emissions and zero congestion


* 2.6 Billion EV miles driven in GM Vehicles
Security Vulnerabilities Landscape


What is a security vulnerability? 


A weakness in a system or product that could allow an attacker to compromise the 
integrity, availability or confidentiality of that system or product. 


Examples of security vulnerabilities:
* Weaknesses that are not intended by design
* An application that allows access without authentication
* An unprivileged user being able to change his own permission level in an application
* Default credentials, leaked credentials, misconfigured systems, XSS, SQLi, etc.
State of Vulnerability Detection


Qualys
DB Vulnerability
Fortify WebInspect
Web App Security
OS Vulnerability


No correlation of vulnerability data to calculate overall system risk, tracking ownership, or prioritizing remediation
Vulnerability Management at Scale


o centric approach for 
effective correlation, prioritization, 
notification, and tracking 


Prioritization of critical systems 


Correlation of all vulnerability information 
across all components which make up a 
system 


Prioritization of vulnerabilities based on 
impact, asset value, and threat intelligence 


Automated analysis and prioritization of
vulnerabilities based on impact and system
risk


Overall application security risk status, 
prioritized view and remediation focused on 
most critical vulnerabilities 
Application & Asset Inventory


Asset & Vulnerability Prioritization


* Asset Prioritization:
* Safety
* Information Confidentiality
* System Availability
* Data Integrity
* Accessibility
* Regulatory Requirements
* Critical / Security Infrastructure


* Vulnerability Prioritization:
* Base Score
* Threat Landscape Modifier
* Digital Asset Value


Vulnerability Correlation
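
An added example, not part of the original slides or of GM's tooling: one way to correlate findings from several scanners to the owning application and rank them by the three factors listed under Vulnerability Prioritization. The multiplicative formula, the weight scales, the fail threshold and all sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data; every ID, score and weight is made up for illustration.
INVENTORY = {  # asset -> (owning application, digital asset value weight; assumed scale)
    "web01": ("order-portal", 2.0),
    "db01": ("order-portal", 2.0),
    "hr-web": ("hr-portal", 1.0),
}
FINDINGS = [  # (source, asset, finding id, base score 0-10, threat landscape modifier)
    ("os", "web01", "OS-1", 4.0, 1.0),
    ("webapp", "web01", "WAS-7", 6.0, 1.5),  # modifier > 1: threat intel raises urgency (assumed)
    ("db", "db01", "DB-3", 9.8, 0.8),
    ("webapp", "hr-web", "WAS-9", 8.8, 1.0),
    ("os", "unknown-host", "OS-4", 9.0, 1.0),  # asset missing from the inventory
]
FAIL_THRESHOLD = 10.0  # assumed cut-off at which a component fails

def priority(base, threat_modifier, asset_value):
    """Assumed combination: multiply the three factors named on the slide."""
    return round(base * threat_modifier * asset_value, 2)

def correlate(findings, inventory):
    """Group findings from every source under the application that owns the asset."""
    apps, orphans = defaultdict(list), []
    for source, asset, fid, base, modifier in findings:
        if asset not in inventory:
            orphans.append(fid)  # no owner on record: surface it instead of dropping it
            continue
        app, value = inventory[asset]
        apps[app].append((priority(base, modifier, value), source, fid))
    for rows in apps.values():
        rows.sort(reverse=True)  # highest priority first
    return dict(apps), orphans

def component_status(rows):
    """Pass/fail per source component for one application."""
    status = {}
    for score, source, _ in rows:
        failed = score >= FAIL_THRESHOLD or status.get(source) == "FAIL"
        status[source] = "FAIL" if failed else "PASS"
    return status

if __name__ == "__main__":
    apps, orphans = correlate(FINDINGS, INVENTORY)
    for app, rows in apps.items():
        print(app, component_status(rows), rows)
    print("findings with no owning application:", orphans)
```

In this constructed data WAS-9 has a higher base score than WAS-7 but ranks lower, because the asset value and threat modifier of the system it belongs to are lower.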


Self Service Model


* Opportunity:
* Empower application development teams to manage vulnerabilities associated with their
applications
* Self-service model
* Continuous application security process


* Solution:
* Automated continuous security assessments
* Remediation ownership
* Automated security checkpoints


Self Service Model


* Consolidated view of vulnerabilities associated with a system
* Modular architecture to allow for other vulnerability sources to integrate with the model


[Screenshot: application dashboard with Infrastructure Summary and Static Security Summary panels, each with a View Details link]


Self Service Model


* Pass / Fail results for each component
* Ability to quickly get feedback to application teams as remediation changes are made to the application


[Screenshot: Static Security Summary panel with the note "[...] assessments must be performed on all branches that are part of a project for code developed at GM. Refer to instructions for details." and a link to SSC; Dynamic Web Application Security (WAS) Details panel with a Download Report link and columns Website ID, Website Name, Website Production URL, URL Assessed, Assessment Status, showing scan 177036, Vehicle Communication Services, FAILED (Expired), 10/21/2019 15:09:32]


Summary


* As technologies continue to evolve, the vulnerability landscape continues 
to get more complex 


* The speed at which business is changing requires a different approach to
vulnerability management


* Self-service, automated vulnerability detection and remediation 
capabilities are critical to build an enterprise security vulnerability 
management program at scale 